
Thursday, October 11, 2007

Password management: Facing the problem

Network World's Security Strategies Newsletter, 10/11/07

By M. E. Kabay

In my last two columns, I’ve been looking at the pervasive problems we have in the security field in overcoming natural human tendencies to misjudge risk. In particular, I’ve pointed out that the well-known and documented tendency of normal people to write down passwords is a consequence of deep-seated difficulties we face in our in-built abilities to interpret and manage risk.

When I was reconnecting recently with an old friend from my NCSA (National Computer Security Association) days in the 1990s, I visited her employer’s Web site and found an interesting method for helping users avoid writing down their passwords (or choosing bad ones, or even sharing them casually): Passfaces.

This software allows users to pick out recognizable faces that will authenticate them to their systems. Perhaps the best introduction is to look at the “Online User Manual” posted about the free “Passfaces Personal” product that anyone can download and try.

The basic idea is that a user sets up an array of photographs and puts some familiar ones into the pool to use as keys (the faces of people the user recognizes). The software then produces a 3-by-3 grid of randomly selected faces that includes one of the key pictures. The user picks out the familiar picture, then repeats the exercise twice more with new sets of eight strangers and one friend, and that completes the authentication.

Versions are available for Windows, for Web-site access control and for financial applications.

Passfaces offers a number of useful case studies and good PDF brochures about its products. I especially liked their white paper on “The Science Behind Passfaces,” which explains how human beings are particularly good at recognizing faces; indeed, it seems that we have special circuits that have evolved for rapid and accurate perception of faces.

The paper cites the following as advantages of “using Passfaces over passwords” (quoting the list exactly):

* Can’t be written down or copied
* Can’t be given to another person
* Can’t be guessed
* Involve cognitive not memory skills
* Can be used as a single or part of a dual form of authentication

The power of the system is enhanced by setting parameters to interfere with misuse of the faces. For example:

“In some high-security applications the grids of faces may be displayed only for a very short time. A half second is long enough for practiced users to recognize their Passfaces. Combined with masking (faces in a grid are overwritten with a common mask face) it is extremely difficult for “shoulder surfers” to learn the Passfaces as the user clicks on them. Users can also be given the option to enter the grid position of each Passfaces on a keypad, rather than picking them out on the screen.”
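The challenge-and-response loop described above (three 3-by-3 grids, each hiding one key face among eight strangers, answered by keypad grid position as the quoted passage suggests), as an added Python sketch. This is not Passfaces’ own code; it assumes each round shows a different key face at a random position, and the face names and decoy pool are constructed sample data.

```python
import secrets
from dataclasses import dataclass

GRID_CELLS = 9   # 3-by-3 grid, as described in the column
ROUNDS = 3       # the exercise is repeated three times


@dataclass(frozen=True)
class Challenge:
    grids: list    # ROUNDS lists of GRID_CELLS face identifiers
    answers: list  # grid position (0..8) of the key face in each round


def make_challenge(key_faces, decoy_pool, rng=None):
    """Build a Passfaces-style challenge: each round shows one of the
    user's key faces among eight strangers at a random grid position.
    Assumption (not from the page): a different key face per round."""
    rng = rng or secrets.SystemRandom()
    if len(key_faces) < ROUNDS:
        raise ValueError("need at least one key face per round")
    # Never let a key face appear as a 'stranger' in the same grid.
    decoys = [f for f in decoy_pool if f not in set(key_faces)]
    if len(decoys) < GRID_CELLS - 1:
        raise ValueError("decoy pool too small")
    grids, answers = [], []
    for key in rng.sample(list(key_faces), ROUNDS):
        cells = rng.sample(decoys, GRID_CELLS - 1)
        pos = rng.randrange(GRID_CELLS)
        cells.insert(pos, key)          # key face lands at a random cell
        grids.append(cells)
        answers.append(pos)
    return Challenge(grids, answers)


def verify(challenge, positions):
    """Check keypad entries (one grid position per round) against the
    challenge; all rounds must match for the user to authenticate."""
    if len(positions) != ROUNDS:
        return False
    return all(p == a for p, a in zip(positions, challenge.answers))


def random_guess_success(rounds=ROUNDS, cells=GRID_CELLS):
    """Chance that someone who knows none of the key faces passes one
    full challenge by picking a random cell in every round (1/9^3)."""
    return (1.0 / cells) ** rounds
```

The last function makes the sizing concrete: with three rounds of nine cells a blind guess succeeds once in 729 attempts, which is why deployments pair the scheme with attempt limits and with the short-display and masking options quoted above.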

Worth a glance, eh?

[As always, I assure readers that I make any relationships to a vendor clear when I write about their product. I had never heard of Passfaces before I stumbled upon their Web site and have no financial interest at all in their product, although I think it’s pretty neat.]

Editor's Note: See more on password alternatives here. Plus, see how Passfaces is being used at a healthcare company.


Contact the author:

M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.


Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007